Thompson Coburn LLP | One US Bank Plaza | St. Louis, MO 63101

Boston-Area Hospital to Pay $1.5 Million to Settle HIPAA Violations Over Security Breach

On September 17, 2012, Massachusetts Eye and Ear Infirmary, a Boston-area hospital, agreed to pay $1.5 million to the U.S. Department of Health and Human Services to settle allegations of violations of the HIPAA Security Rule. The hospital was investigated by the Office of Civil Rights (OCR) after it submitted a breach report in April 2010 notifying OCR of the theft of a personal laptop containing unencrypted electronic protected health information (PHI) of hospital patients and research subjects.

OCR's subsequent investigation found that the hospital failed to comply with several requirements of the HIPAA Security Rule. Specifically, the hospital failed to:

• Conduct a risk analysis of the confidentiality of PHI maintained on portable devices;
• Implement security measures to protect the confidentiality of the electronic PHI the hospital created, maintained and transmitted via portable devices;
• Secure PHI contained on portable devices via encryption, or document the rationale for not using encryption;
• Adopt policies restricting access to electronic PHI to only authorized users of the portable devices; and
• Adopt policies addressing the proper way to identify, report and respond to security incidents such as a laptop theft.

OCR's investigation concluded that these failures had occurred over an extended period of time, demonstrating a long-term disregard for Security Rule requirements. In addition to the $1.5 million settlement, the hospital agreed to follow a corrective action plan that calls for the review, revision and maintenance of its policies to ensure future compliance with the Security Rule. The hospital also agreed to retain an independent monitor who will assess the hospital's compliance with the corrective action plan and render semi-annual reports to OCR for the next three years.

This latest OCR enforcement action demonstrates that the agency is continuing to step up its enforcement efforts and can impose significant financial penalties for non-compliance with HIPAA.

A copy of the settlement agreement and corrective action plan can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreementpdf.pdf

If you have questions on this or any Health Care issue, you may contact your Thompson Coburn attorney or one of the Health Care Practice Group attorneys.
